How can businesses ensure HIPAA compliance?
With recent changes in HIPAA standards announced earlier this week, we wanted to examine how healthcare organizations of all sizes could ensure compliance from a technological perspective. We spoke to NCP Engineering's Rene Poot for his thoughts:
HIPAA is a collection of standards striving for an effective and efficient method of exchanging information to the right people in a secure manner, thereby creating streamlined workflows in an electronic environment, and so delivering higher quality yet affordable health care. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
This ranges from keeping file cabinets and record rooms locked, to stricter access controls on computers (password requirements or smart card authentication), to the more complex data storage, digital signatures to ensure non-repudiation, etc.
Let's focus on the PHI that is being transmitted, or in other words, when Electronic Protected Health Information is being transported over open networks: that's where secure communication plays a role; this is where NCP steps up to the plate. These requirements are not by any means limited to HIPAA, as these same requirements are also applicable to the financial institutions, government departments, police departments, and so forth.
What our customers in these different fields appreciate is NCP's understanding of secure communications: the safeguarding of the data in transit, but also verifying the authenticity and authorization of the person receiving and transmitting the information by means of strong authentication (multi-factor authentication). The HIO in question can select which vendor/provider they want to use for this, be it a PKI environment with smart cards or an OTP setup; NCP is flexible and will allow for this freedom of choice.
- Strong Authentication: the assurance to one entity that another entity is who he, she, or it claims to be,
- Integrity: the assurance to an entity that data has not been altered (intentionally or unintentionally) in transit,
- Confidentiality: the assurance to an entity that no one can read a particular piece of data except the receiver(s) explicitly intended.
Of course one can impose a lot of restrictions on the user; but besides user awareness (often overlooked, as not everything can be locked down by technology -- think about discussions about patients and treatments in public areas between personnel or with family members), there is user-friendliness. When a user is confronted with a lot of barriers that keep them from performing their work in an efficient, effective manner, they will inevitably find a way to circumvent them. By making the procedure of establishing a secure connection as easy and as transparent as possible for the user, yet maintaining a high level of security, an administrator can tick this requirement on the list and have the assurance that this base is covered.
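The integrity property listed above (the assurance that data has not been altered in transit) can be made concrete with a message authentication code. The following Python example is added here for illustration; it is not code from NCP or from the interview. It assumes a key shared out of band between sender and receiver (in a real deployment the VPN or TLS layer derives such keys during the handshake) and uses a constructed sample record standing in for PHI. HMAC under a shared key gives integrity and origin authentication only; it does not provide confidentiality, which a transport such as a VPN adds with encryption.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag

# Constructed sample record; no real patient data.
SAMPLE_PHI = b"patient_id=00042;visit=2013-01-25;diagnosis=PLACEHOLDER-CODE"


def protect(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the receiver can detect any alteration."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the message if the tag is valid under `key`, otherwise None.

    Uses a constant-time comparison so an attacker cannot learn the tag
    byte by byte from timing differences.
    """
    if len(blob) < TAG_LEN:
        return None  # too short to even contain a tag
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def demo() -> tuple:
    """Show the three outcomes: intact record, tampered record, wrong key.

    Returns (intact_accepted, tampered_accepted, wrong_key_accepted).
    """
    key = secrets.token_bytes(32)  # assumed shared out of band
    blob = protect(key, SAMPLE_PHI)

    intact_accepted = verify(key, blob) == SAMPLE_PHI

    # Flip one bit inside the record body (index 10 is within the message).
    tampered = bytearray(blob)
    tampered[10] ^= 0x01
    tampered_accepted = verify(key, bytes(tampered)) is not None

    # A party without the shared key cannot produce an acceptable tag.
    wrong_key_accepted = verify(secrets.token_bytes(32), blob) is not None

    return intact_accepted, tampered_accepted, wrong_key_accepted


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The receiver must reject the whole record on a tag mismatch rather than trying to use the readable portion, since a single flipped bit is indistinguishable from a deliberate modification.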